How to set up CCISSL with CA Output Management Web Viewer 12.1

Document ID : KB000032444
Last Modified Date : 14/02/2018

Summary

How to use SSL to secure the connection between the Web Viewer server and CCI.

 

Instructions: 

 
1. The CCI Server task on the mainframe (typically named CCISSL) must be configured to use SSL. These CCI Server task settings (symbolic parameters) are the main ones required:
 
UNSECON
Specifies communication security. It may be set to allow or to require SSL.
 
PROT
Security protocol used: TLS.
 
CLAUTH
Specifies whether client certificates are used. Typically this is “N” (no), but if enabled, Web Viewer (the CCI client) will need a client certificate added to its KeyStore.
 
 
2. On the Web Viewer side, there are new parameters in the config tool to set. The connection test has been enhanced to feed back additional information about any errors.
 
   Web Viewer ships with a sample KeyStore file that contains the same sample certificate delivered with CCI on the mainframe. This sample certificate, cci.jks, is in this directory:
           C:\Program Files\CA\CA_OM_Web_Viewer\apache-tomcat-7.0.54\webapps\CAOMWebViewer12\config
           or
           /opt/CA_OM_Web_Viewer/apache-tomcat-7.0.54/webapps/CAOMWebViewer12/config
   Modify the path if needed for your environment. Point to this location when running the configtool. You can only use this sample certificate if you are using the sample certificates on the mainframe.
 
After running the configtool, you will need to recycle the Web Application Server.
 
You can verify that SSL is being used by reviewing the CCI Server task’s JESMSGLG. Look for messages similar to:
 
CAS9855I Task 0002 has TLSV1 session with yyyyyyyy(::ffff:130.200.148.229)/57714.
CAS9855I Task 0002 and PC using 168-bit 3DES, SHA-1, RSA ("0A").
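The check described above can be scripted. The following is an added example, not CA-supplied code: it pairs the two CAS9855I messages per task and flags legacy protocol, cipher and MAC values such as those in the sample. The message patterns are inferred only from the two lines shown here, and the function and field names are hypothetical.

```python
import re

# Patterns inferred from the two CAS9855I sample lines on this page
# (assumption: other releases may word these messages differently).
SESSION = re.compile(
    r"CAS9855I Task (\d+) has (\S+) session with (\S+?)\(([^)]*)\)/(\d+)\.")
CIPHER = re.compile(
    r'CAS9855I Task (\d+) and \S+ using (\d+)-bit (\S+), (\S+), (\S+) \("(\w+)"\)\.')

# Legacy values worth flagging. Only TLSV1, 3DES and SHA-1 appear on the page;
# the other spellings are assumptions about how CCI would print them.
WEAK_PROTOCOLS = {"SSLV3", "TLSV1"}
WEAK_CIPHERS = {"DES", "3DES", "RC4"}
WEAK_MACS = {"MD5", "SHA-1"}

def audit_jesmsglg(text):
    """Return one record per CCI task that logged an SSL/TLS session."""
    sessions = {}
    for line in text.splitlines():
        m = SESSION.search(line)
        if m:
            task, proto, peer, addr, port = m.groups()
            rec = {"task": task, "protocol": proto, "peer": peer,
                   "address": addr, "port": int(port), "findings": []}
            if proto.upper() in WEAK_PROTOCOLS:
                rec["findings"].append("legacy protocol " + proto)
            sessions[task] = rec
            continue
        m = CIPHER.search(line)
        if m and m.group(1) in sessions:
            # Field names (key_exchange, suite) are this example's reading of the message.
            task, bits, cipher, mac, kx, suite = m.groups()
            rec = sessions[task]
            rec.update(bits=int(bits), cipher=cipher, mac=mac,
                       key_exchange=kx, suite=suite)
            if cipher.upper() in WEAK_CIPHERS:
                rec["findings"].append("legacy cipher " + cipher)
            if mac.upper() in WEAK_MACS:
                rec["findings"].append("legacy MAC " + mac)
    return list(sessions.values())

# The two sample messages from this page, plus one constructed unrelated line.
SAMPLE = """\
(constructed) unrelated job log line, ignored by the parser
CAS9855I Task 0002 has TLSV1 session with yyyyyyyy(::ffff:130.200.148.229)/57714.
CAS9855I Task 0002 and PC using 168-bit 3DES, SHA-1, RSA ("0A").
"""

if __name__ == "__main__":
    for rec in audit_jesmsglg(SAMPLE):
        print(rec["task"], rec["protocol"], rec.get("cipher"), rec["findings"] or "ok")
```

An empty result for a Web Viewer connection means no CAS9855I session message was found, so SSL use is not confirmed for that connection.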
 
 
If you choose to use a KeyStore, note that the Web Viewer CCI Client interface only uses a Java KeyStore repository file. This is different from what CCI Server supports, but both contain the Trusted Certificate and the (optional) Client End User Certificate.
 
It is your responsibility to create a KeyStore file if you are using your own certificates. 
 
The Keytool supports these two certificate formats:
- Trusted Certificate: Base64 encoded certificate file containing the CCI server’s public key in X.509 format. Typically, a PEM file.
- Client End User Certificate: A certificate file in PKCS#12 format, containing the public and private key in X.509 format. The private key will be password protected.

 

Additional Information:

The Web Viewer documentation (in the wiki) includes a topic for creating the KeyStore using the JRE keytool utility program - Create Keystore Files for CAICCI SSL.
Build 85 or higher (RO78064 DRAS UNAVAILABLE ERROR WITH SSL BUILD 78 FOR SOCKET CLOSURE) is required to use CCISSL. Always apply the latest APAR available for Web Viewer 12.1 if possible. APARs are cumulative and include all prior maintenance.

 

Also refer to Common Services TEC413258 CAICCI-SSL and External Security